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SYSTEM AND METHOD FOR VERIFICATION OF IDENTITY 



Field of the Invention 

5 

This invention relates to a system and method for establishing an identity of a 
user and, more particularly, to a system and process for identifying a user to electronic 
systems such as processors, computers, and computer and electronic networks. 

Background of the Invention 

10 Prior art methods of computer and internet security such as cryptographic 

Q processes, tokens, dongles, so-called "uncopyable media," and various executable 

. software protection schemes fail to prevent identity fraud. Such methods are 

'5 incapable of ensuring that the person or entity at each end of a transaction is who he 

l=L says he is. Because of the anonymous nature of the internet, the security of e- 

j~ 15 commerce-related information and transactions is a serious problem. At the center of 

* the problem are those individuals who steal other persons 5 identities so as to perform 

p fraud, pranks, vandalism, espionage and other illegitimate activities. Thus, the 
predominant internet security issue is identity authentication. 

While authentication takes various forms, authentication of individuals is 
20 particularly desirable. Authentication is directed to verifying that the individual 

seeking access to and/or through a server is in fact who that individual claims to be, 
and not an impersonator. This authentication relies on verification being performed at 
or above a predetermined minimum level of confidence. At the same time, 
authentication is generally an early hurdle that the individual must clear to conduct 
25 internet transactions with the server. 

The traditional method for authenticating individuals has relied on secret 
passwords. Password-only authentication can be implemented entirely in software. 
However, password-only authentication has a number of disadvantages. For example, 
a password's viability is enhanced, among other ways, by increasing its length, by 
30 controlling its composition and by it being frequently changed. This, however, is 
cumbersome and, additionally, passwords can be lost or stolen, particularly written 
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passwords. Passwords can be inadvertently disclosed to crackers via various ploys, 
such as observing the password's entry on a keyboard. Moreover, passwords can be 
intercepted as they are transported from the user to the desired server. Consequently, 
password-only authentication fails to provide adequate security. 

5 Internet-based applications are flooding into areas that can benefit from 

enhanced security. Examples of such web-based applications include commercial 
transactions (e.g., loans and the purchase and sale of goods), banking transactions 
(e.g., electronic funds transfer), and medical transactions (e.g., provision of medical 
records in emergency situations). The internet is redefining commerce by eliminating 
10 the constraints of time and distance. World internet commerce sales are projected to 
□ reach between $1.7 and $3.5 trillion by the year 2003 (Source: Forrester Research, 

•~ Inc.). Identity information and the authentication thereof will drive this explosion. 

IB However, many are uncomfortable with the current privacy protections. Although the 

iif Merchant's Association reports that e-business is growing by 200% annually, only 

: s 15 about 5% of consumers visiting a website actually make purchases. The primary 

*i reason for this discrepancy is consumers' concern about privacy and online security. 

12 Has Business Accepted the Self-Regulation Challenge? Federal Trade Commissioner 

j ^ Mozelle Thompson, Privacy in American Business, Fifth Annual Conference Journal 

£3 (Feb/March 1999). Moreover, a recent Business Week/Harris Poll confirms that 

? ~ 20 almost two-thirds of non-internet users would be more likely to start using the internet 

if the privacy of their personal information and communications would be protected, 
and that privacy was the primary reason individuals are choosing to stay off the 
internet, coming in well ahead of cost, concerns with complicated technology, and 
unsolicited commercial e-mail. Business Week/Harris Poll on Online Insecurity, 
25 Lewis Harris & Associates, Inc., New York, March 1998. 

Additionally, a 1996 Harris Poll reported that 24% of Americans have 
personally experienced a privacy invasion, which is up from 19% in 1978. The same 
survey found that 80% of Americans felt that consumers have lost all control over 
how personal information about them is circulated and used by third parties. 
30 Equifax/Harris Consumer Privacy Survey, Lewis Harris & Associates Inc., New 

York, February 1996. Indeed, such fears have been confirmed by actual incidences of 
identity theft reported by the media. See, e.g., Hacker Discloses 350,000 Numbers: 




3 



Web Retailer's Credit Security Breached, Chicago Tribune, Business, p. 1 (January 
11, 2000); Doubts Triggered Over Web Shopping, Assoc. Press, January 20, 2000 (A 
"19-year-old Russian" claimed to have stolen 300,000 credit card numbers by 
exploiting a flaw in CD Universe's System). Accordingly, there is an acute need in 
5 the art for a system and method for verifying identity which goes beyond known 
systems and methods where a user's submitted identity information is not cross- 
checked against a database of identity information to halt fraud and/or determine the 
likelihood of an attempt to use fraudulent information. 

Obviously, there is a multitude of instances where it is necessary to verify that 
10 an individual requesting access to a service, an e-commerce transaction, or a facility is 
in fact authorized to access the service, execute the transaction or enter the facility. 
For example, such services include banking services, or telephone services, while the 
facilities may be for example banks, laboratories, computer systems, or database 
systems. In such situations, users typically have to write down, present a card, type or 
15 key in certain information in order to send an order, make a request, obtain a service, 
perform a transaction, transmit a message, or enter a facility. Verification or 
authentication of a customer prior to obtaining access to such services or facilities 
typically relies essentially on the customer's knowledge of passwords or personal 
identification numbers (PINs), possession of a card or token, or by the customer 
20 interfacing with a remote operator who verifies the customer's knowledge of 

information such as name, address, Social Security number, city or date of birth, 
mother's maiden name, etc. In some special transactions, handwriting recognition or 
signature verification is also employed. 

However, such conventional techniques present many drawbacks. First, 
25 information typically used to verify a user's identity may be lost or stolen and, with 
existing technology, a criminal may find it easy to obtain such personal information 
such as the Social Security number, mother's maiden name or date of birth of his 
intended target. The shortcomings inherent with the conventional security measures 
have prompted an increasing interest in biometric security technology, i.e., verifying a 
30 person's identity by personal biological characteristics, such as voice printing, finger 
printing, iris scans, etc. However, even with biometric systems of the prior art, no 
attempt is made to cross-reference the user's alphanumeric identity data (i.e., name, 
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address, Social Security number, etc.) against a database of identities which can 
determine, to a high degree of certainty, whether the alphanumeric identity data being 
offered with the biometric identity data is suspicious and/or subject to fraud. Without 
such cross-checking, a criminal submitting a biometric exemplar together with stolen 
5 alphanumeric identity data cannot be recognized as the fraud that he is by the 
anonymous computer systems which are so prevalent today. 

Accordingly, a need exists for improved network and internet-based systems 
and methods to verify identities. 

Summary of the Invention 

10 The system of the present invention provides an identity-based access control. 

It defines the authority and delegation of authority to access information, and provides 
for accountability. The present invention permits the ordering of goods and services 
in a secure manner over an open and anonymous environment such as the internet or 
other insecure network. The present invention further permits the payment for goods 

1 5 and services to be transmitted across an open network without fear of diversion to an 
unauthorized payee. It permits the delivery of intangible personal property and 
various electronic products in a secure fashion over such open networks. 
Additionally, the present invention permits the negotiation and formation of contracts 
in a secure manner over open networks; permits the conduct of auctions in a practical, 

20 reliable and trustworthy manner;' permits the execution of guarantees in a trustworthy 
and reliable manner; permits the handling of various securities transactions, including 
stock purchases, in a secure fashion; and has the advantage of providing a consistent 
application programming interface which can be utilized in all types of transactions 
for ensuring security and authenticity of identities. 

25 The invention is also directed to a method of conducting electronic commerce 

over an unsecured network by enrolling users in an infrastructure system to create an 
identity escrow or "virtual safety deposit box" for each user, and by verifying the 
authenticity of each electronic transaction by the user supplying a biometric sample 
with each transaction such that the biometric sample serves as t he "key" to jhgaisen's 

30 identity escrow^jmd^to the escrow to transmit a message to a third party 

that the user is who he says he is. 
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These and other advantages and objects of the invention are achieved by 
providing a system for verifying identities comprising an enrollment system having: 
(i) at least one alphanumeric input device;(ii) at least one biometric input device; (iii) 
at least one header file database having a plurality of identities; (iv) at least one search 
5 engine, said search engine in communication with said header file database such that 
said search engine receives an alphanumeric data signal which has been input into 
said alphanumeric input device by the user, and then searches said database for 
identities that match the alphanumeric data according to a predetermined first set of 
criteria; (v) a processor to score the set of identities matched by said search engine 
10 according to a predetermined second set of criteria, said processor capable of 

determining the acceptability or unacceptability of said user's input alphanumeric data 
" based on said score; and (vi) an identity escrow database which is in communication 

*P with said processor and receives from said unit an approved identity data signal based 

i jj on the acceptability of the score, said escrow database additionally in communication 

\2 - 15 with said biometric input device capable of receiving at least one biometric identity 

M data signal input by the user to said biometric input device, said escrow database 

q further comprising means for coupling the approved identity data signal and the 

biometric identity data signal to create at least one subfile within the escrow database 
M for each user comprising the approved identity data signal and the biometric data 

j5 20 signal. 

The present invention further comprises a verification system for verifying the 
identity of said user after the user has enrolled in the enrollment system. The 
verification system has means for processing a second biometric data signal input by 
the user to the biometric input device to determine a match of the user's preexisting 
25 biometric data in said escrow database according to a predetermined third set of 
criteria. Finally, the verification system has an output device for transmitting to a 
third party whether or not a match was located within said escrow database for said 
user. 

The present invention additionally comprises a system and method for 
30 providing a warranty to users against identity theft. 
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Still other objects and advantages of the present invention will become readily 
apparent to those skilled in the art from the following drawings and detailed 
description, wherein only the preferred embodiment of the invention is shown and 
described simply by way of illustration of the best mode contemplated of carrying out 
5 the invention. As will be realized, the invention is capable of other and different 
embodiments, and its several details are capable of modifications in various obvious 
respects, all without departing from the invention. Accordingly, the drawings and 
description are to be regarded as illustrative in nature, and not as restrictive. 

Brief Description of the Drawings 

10 Figure 1 is a block diagram view of an embodiment the computer system of 

q the present invention. 

s £ Figure 2 is a block diagram view of an embodiment of the enrollment system 

m 

5 fs of the present invention. 

is, 

jjt Figure 3 is a bar graph of fraud arrests per capita ranked by state, 

t: 15 Figure 4 is a line graph of fraud arrests per capita ranked by state. 

M Figure 5 is a line graph of fraud arrests per capita ranked by state. 

jlf 

M * Figure 6 is a block diagram view of an embodiment of the verification system 

q of the present invention. 

Figure 7 is a screen display of an embodiment of the present invention. 
20 Figure 8 is a screen display of an embodiment of the present invention. 

Figure 9 is a screen display of an embodiment of the present invention. 

Figure 10 is a screen display of an embodiment of the present invention. 

Figure 1 1 is a screen display of an embodiment of the present invention. 

Figure 12 is a screen display of an embodiment of the present invention. 

25 Figure 13 is a screen display of an embodiment of the present invention. 

Figure 14 is a block diagram view of the warranty system of the present 
invention. 
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Description of the Preferred Embodiments 

The principles and operation of the system and method of the present 
invention may be better understood with reference to the drawings and accompanying 
description. Fraud is epidemic and growing at five to ten times the rate of overall 
5 economic growth. This dramatic increase in growth can be largely attributed to the 
concomitant proliferation of digital systems and the naive use of "fraud detection" 
systems. 

Scam artists are knowledgeable about the detection systems and use the 
detection system's own logic to defeat them. These systems took the seemingly easy 

10 route in design and are built upon the detection of "suspect" transactions. Knowing 
which transactions might be "suspect" is only a starting point - not an end in itself. 
The best measure of such systems (frequently expensive neural network systems) is 
their early success followed by massive increases in fraud. This is much like the 
growth of a bacteria that becomes resistant to antibiotics. The present invention 

15 differs dramatically in its approach by concentrating on the perpetrator of the fraud 
rather than the fraudulent transaction. This results in increases in efficiency and 
effectiveness at far lower cost. 

1* System Components, 

A. Enrollment System Components, 

20 FIG. 1 illustrates a high-level block diagram of a computer system which is 

used, in one embodiment, to implement the method of the present invention. The 
computer system 10 of FIG. 1 includes a processor 12 and memory 14. Processor 12 
may contain a single microprocessor, or may contain a plurality of microprocessors 
for configuring the computer system as a multi-processor system. Memory 14, stores, 

25 in part, instructions and data for execution by processor 12. If the system of the 
present invention is wholly or partially implemented in software, including a 
computer program, memory 14 stores the executable code when in operation. 
Memory 14 may include banks of dynamic random access memory (DRAM) as well 
as high speed cache memory. 
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The system of FIG. 1 further includes a mass storage device 16, peripheral 
device(s) 18, input device(s) 20, portable storage medium drive(s) 22, a graphics 
subsystem 24 and a display 26. For purposes of simplicity, the components shown in 
FIG. 1 are depicted as being connected via a single bus 28. However, the components 
5 may be connected through one or more data transport means. For example, processor 
12 and memory 14 may be connected via a local microprocessor bus, and the mass 
storage device 16, peripheral device(s) 18, portable storage medium drive(s) 22, and 
graphics subsystem 24 may be connected via one or more input/output (I/O) buses. 
Mass storage device 16, which is typically implemented with a magnetic disk drive or 
10 an optical disk drive, is a non- volatile storage device for storing data and instructions 
for use by processor 12. In another embodiment, mass storage device 16 stores the 
computer program implementing the method of the present invention. The method of 
the present invention also may be stored in processor 12. 

Portable storage medium drive 22 operates in conjunction with a portable non- 
1 5 volatile storage medium, such as a floppy disk, or other computer-readable medium, 
to input and output data and code to and from the computer system of FIG. 1. In one 
embodiment, the method of the present invention is stored on such a portable 
medium, and is input to the computer system 10 via the portable storage medium 
drive 22. Peripheral device(s) 18 may include any type of computer support device, 
20 such as an input/output (I/O) interface, to add additional functionality to the computer 
system 10. For example, peripheral device(s) 18 may include a network interface 
card for interfacing computer system 10 to a network, a modem, and the like. 

Input device(s) 20 provide a portion of a user interface. Input device(s) 20 
may include an alphanumeric keypad 46 (FIG.2) for inputting alphanumeric and other 

25 key information, or a pointing device, such as a mouse, a trackball, stylus or cursor 
direction keys. Biometric input device 48 (FIG.2) is another type of input device 
useful in the present invention. All such devices provide additional means for 
interfacing with and executing the method of the present invention. In order to 
display textual and graphical information, the computer system 10 of FIG. 1 includes 

30 graphics subsystem 24 and display 26. Display 26 may include a cathode ray tube 
(CRT) display, liquid crystal display (LCD), other suitable display devices, or means 
for displaying, that enables a user to view the execution of the inventive method. 
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Graphics subsystem 24 receives textual and graphical information and processes the 
information for output to display 26. Display 26 can be used to display component 
interfaces and/or display other information that is part of a user interface. The display 
26 provides a practical application of the method of the present invention since the 
5 method of the present invention may be directly and practically implemented through 
the use of the display 26. The system 10 of FIG. 1 also includes an audio system 30. 
In one embodiment, audio system 30 includes a sound card that receives audio signals 
from a microphone that may be found in peripherals 18. Additionally, the system of 
FIG. 1 includes output device(s) 32. Examples of suitable output devices include 
10 speakers, printers, and the like. 

The devices contained in the computer system of FIG. 1 are those typically 
found in general purpose computer systems, and are intended to represent a broad 
category of such computer components that are well known in the art. The system of 
FIG. 1 illustrates one platform which can be used for practically implementing the 
15 method of the present invention. Numerous other platforms can also suffice, such as 
Macintosh-based platforms available from Apple Computer, Inc., platforms with 
different bus configurations, networked platforms, multi-processor platforms, other 
personal computers, workstations, mainframes, navigation systems, and the like. 

Alternative embodiments of the use of the method of the present invention in 
20 conjunction with the computer system 10 further include using other display means 
for the monitor, such as CRT display, LCD display, projection displays, or the like. 
Likewise, any similar type of memory, other than memory 14, may be used. Other 
interface means, in addition to the component interfaces, may also be used including 
alphanumeric keypads, other key information or any pointing devices such as a 
25 mouse, trackball, stylus, and cursor or direction key. 

In a further embodiment, the present invention also includes a computer 
program product which is a storage medium (media) having instructions stored 
thereon/in which can be used to program a computer to perform the method of 
interfacing of the present invention. The storage medium can include, but is not 
30 limited to, any type of disk including floppy disks, optical disks, DVD, CD ROMs, 
magnetic optical disks, RAMs, EPROM, EEPROM, magnetic or optical cards, or any 
type of media suitable for storing electronic instructions. 
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Stored on any one of the computer readable medium (media), the present 
invention includes software for controlling both the hardware of the general 
purpose/specialized computer or microprocessor, and for enabling the computer or 
microprocessor to interact with a human user or other mechanism utilizing the results 
5 of the present invention. Such software may include, but is not limited to, device 

drivers, operating systems and user applications. Ultimately, such computer readable 
media further includes software for performing the method of interfacing of the 
present invention as described above. 

As illustrated in FIG. 1, computer system 10 is coupled to network 34, such as 

10 the internet 40, across communications lines 36. Preferably, the communications 

lines 36 are dedicated lines (e.g., LAN, WAN, standard dialout phone line, dedicated 
lease line, DSL) with a frame relay (or point-to-point) connection. Computer system 
10 may be directly linked to third party vendees (e.g., banks and other financial 
institutions) with the software of the present invention rather than communicating 

15 with computer system 10 through the internet. The third party computer systems 38 
are, for example, a mainframe or PC's of at least XX486 processing ability (e.g., 
Pentium CPU) having a one gigabyte drive, 16 megabytes of RAM (random access 
memory), with typical I/O accessories including a keyboard, display, mouse and 
printer, or similar workstation. Each of the third party computer systems 38 and 

20 system 10 (specifically storage device or server 16) also have a modem (e.g., CSDSU, 
TI communication, or cable modems) for coupling to the communication line 36 and 
enabling communications between system 10 and third party computer system 38. 

Mass storage device or server 16, output device or server 32 and memory 14 
may be implemented by one digital processor 12. In that case, consolidation, 

25 scheduling, initial and subsequent segmenting of customers and execution of working 
programs are accomplished through the one processor running the inventive software. 
Neural networks may be employed to operate on mass storage device 16 and portable 
storage medium drives 22 to learn each individual customer's purchasing behavior 
and segment customers and potential customers accordingly. As used herein, 

30 "customer(s)" is the person who is the subject of the identity verification. 
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Further, instead of the neural networks, a multiple regression correlation based 
on the customer data in devices 16 and 22 may be used for segmenting customers. 
Alternatively, rule based expert systems may be similarly employed in the present 
invention to provide dynamic behavioral segmentation. 

5 The expert system comprises a set of decision rules which operate to 

"customize" the processing and output of the software system used in the enrollment 
and verification of each customer, based on certain customer-specific input data. The 
decision rules define the logic used to make decisions which, in turn, becomes 
additional inputs to the software system for the purpose of customizing the output 
10 presented to the customer. 

In a further example, and as more fully described below, the invention may be 
employed on the internet 40. A website can be created with a home page with topic 
selections and links (e.g., Hypertext HTML technology) to appropriate software 
programs 42 triggering questionnaires, identity verification and the transmission of 

1 5 information. In particular, for each topic selection there is a respective hyperlink to a 
software program 42 and optionally an event 44 for initiating the program 42. Upon 
the customer's selection of a topic from the home page, the present invention applies 
the linked event 44, if any. If the criteria of the event 44 are met (or if there is no 
initiating event 44), then the present invention executes the corresponding working 

20 program 42. This results in the working program 42 contents being transmitted online 
to the customer. 

In another embodiment, the present inventive system 10 is based at a main site 
of a company. Different branches, departments and/or sites of the company may 
utilize the system from separate workstations as though they are the separate systems 
25 10. 

Referring to Figs. 1 and 2, the computerized enrollment system 50 comprises 
alphanumeric keypad or input device 30 and biometric input device 32. 
Alphanumeric input device 46 can be any device capable of capturing alphanumeric 
data from a user, such as, for example, a standard personal computer, hand-held 
30 computer, or other scuzzy device, or a telephone, pager, or other suitable 

telecommunications device. To enroll in system 50, the user enters alphanumeric 
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identity data into device 46 such as first name (FN), middle initial (MI), last name 
(LN), address, e-mail address, telephone numbers, Social Security number (SSN), 
etc. Such identity data is transmitted as a digital signal to alphanumeric storage buffer 
52 where it is stored in a suspense file. Buffer 52 can be any storage device used in 
5 the art capable of temporary or suspensory storage. The user's identity data signal is 
then transmitted from buffer 52 to filter/stripper 54 where the user's first name, 
middle initial, last name and Social Security number are stripped away and separated 
from the user's other identity data to form alphanumeric identity data signal 56. The 
other portion of identity data is stored in a separate storage device (not shown). 

10 Signal 56 is then transmitted to normal name (NN)/common name (CN) filter 58. 
Filters 54 and 58 are standard filter devices well known in the art. The purpose of 
filter 58 is to differentiate between very common names (e.g., John Brown, Al Smith) 
that occur more than about 40,000 times in database header file 60, which contains 
hundreds of millions of identity records. Thus, NN/CN filter 58 is programmed to 

15 distinguish between such common names and normal names (i.e., those appearing in 
file 60 less than about 40,000 times). 

As further explained below, when search engine 54 builds keys for each user's 
identity data signal, different keys and weighting instructions are used for common 
names versus normal names. The primary difference is that the numeric component 
20 (i.e., SSN) of a common name record is weighed more heavily than the alphanumeric 
component as a predetermined first set of criteria. Consequently, the user's identity 
data signal is modified to identify it as an NN or CN to search engine 62. 

Search engine 62 is comprised of search software known in the art, such as 
SSA-3 available from Search Software America. Search engine 62 is installed and 

25 configured to run on and sort header file database 60. Database 60 contains one or 
more header files available from the commercial credit bureaus such as, for example, 
Equifax or Deluxe Corporation. The header file contains identity information (i.e., 
names and Social Security numbers) of hundreds of millions of identity records. 
Because there are only about 160 to 180 million people in the United States who 

30 could be in database 60, most individuals appear in the database more than once. 
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Upon the initial installation of header files to database 60, search engine 62 
first searches the header files against themselves to sort the similar or related 
identities into sets, and to locate sets of identities that contain suspicious variations of 
identity information. The matching identities of database 60 are scored (as explained 
5 below) according to a predetermined second set of criteria to determine the suspicious 



After search engine 62 performs the initial sorting and scoring of all identity 
records, it is ready to be presented with a user's enrollment identity data record from 

10 filter 54. The data signal of the user's alphanumeric identity record from filter 54 is 
assigned its own set of keys (i.e., FN, MI, LN, SSN, NN, CN) in search engine 62's 
software. These keys are a predetermined set of criteria, which are used to search 
database 60 for matching identity records. The user's keys are compared with the 
keys in the credit bureau header file database 60, and the returned matching identities 

15 are scored as shown below to determine the deviation from the captured alphanumeric 
identity data. 

Key: 

NN = NORMAL NAMES 
CN = COMMON NAMES 
20 FN = FIRST NAME 
LN = LAST NAME 
MI = MIDDLE INITIAL 
SSN= SOCIAL SECURITY NUMBER 



25 0=0 CHANGES IN IDENTITY DATA 

1=1 CHANGE IN IDENTITY DATA 

2=2 CHANGES IN IDENTITY DATA 

3=3 CHANGES IN IDENTITY DATA 

2T=2 TRANSPOSITIONS IN IDENTITY DATA 
30 T=FN/LN TRANSPOSITION AND 1 CHANGE IN IDENTITY DATA 

T+l=TRANSPOSITION AND 1 CHANGE IN IDENTITY DATA 

&=ADDITION OR ABSENCE OF MI IN IDENTITY DATA 

Y=NAME OR MI CHANGE INTDENTITY DATA 



records. 



B. 



System to Recognize Deceptive Identities. 



35 



Italics = Alternate means of change in data 

Note: Diminutives and nicknames are not recognized as a change. 
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As the scores increase, generally changes become subtler. As scores increase 
from 50 to 100 they represent changes in groups from two or more individuals to a 
single individual making suspicious changes. At 96 to 97 there is a transition from 
suspicious to innocent changes. 



= most suspicious manipulations, i.e., scores of 76 through 97 



The following charts represent the relative distribution used to score the various data 
deviations and to determine the likelihood of a fraudulent manipulation. 
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Minimal name change. 



With or without the deletion and/or 
addition of a middle initial. 
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Minor name change: Brown to Browne, 
typically a single letter, or addition of 
hyphenated name and 3 digits changed. 
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Three changes: 2 SSNs changed and 
1 name change, or 2 name changes and 
1 SSN change, or name transposition and 3 
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SSN changes, Name changes are 
typically trivial and usually phonetic. 
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* Aberration, significant first name and 
MI change with no SSN change, only 
one example found. 
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Name changes are significant with 
more than 1 letter involved. 
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Addition or subtraction of MI and 
3 SSN changes. 

With or without the deletion or addition 
of the middle initial. Digit changes 
frequently subtle (7 to 8). 

Two digits plus a single transposed 
pair of numbers. 
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No name changes (except diminutive 
manipulations); 3 SSN changes. 

No Common Names in this score range. 
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Typically 2 changes; 1 name and 
1 SSN; 2 name; 2 SSN changes. 

Name and/or SSN transpositions 
are counted as a single change. 



No Common Names in this score range. 
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No Common Names in this score range. 
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SSN manipulation is rearrangement of 
3 digits, but no change in digits. 



No Common Names in this score range. 
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Any combination of 1 name change, 
and a middle initial change. 



No Common Names in this score range. 
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Primary type of change. 



Any combination of a name and middle 
initial change, and 1 digit change. 
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May include the use of a hyphenated 
name; not viewed as a name change. 
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of 2 numbers. 
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Also includes misplaced middle names, 
and 1 digit change. 
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Number changes are subtle 
(4 to 5; 2 to 3). 



Last name change is subtle; one or 
two letters deletion or substitution. 
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One name change and one SSN change. 



Rare occurrence. 

May include the occasional 
inclusion of a middle initial. 
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Typical change is a simple name 
change or a single digit change. 



No Common Names in this score 
range. 
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last name and 1 digit change. 
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No common Names in this score 
range. 
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Transposition of a single pair of digits. 

May or may not include an addition 
or deletion of a middle initial. 

Very subtle digit change: loop confusion 
(3 to 8) or one digit move (7 to 8) - this 
manipulation is rare in Common Names. 
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Typically, the addition of a single 
letter (ADAMS to AD AMES). 

Single digit change; very subtle 

(3 to a 4, or 4 to a 9 — loop confusion). 

No Common Names in this score range. 
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Addition or deletion of a letter, not a 
diminutive change; sometimes a similar 
name 

Addition or deletion or change of a 
single letter - either combination may 
be coupled with an addition or deletion. 

Only one occurrence in entire record set. 
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Name transposition, sometimes with 
the addition or deletion of a middle 
initial or subtle letter substitution. 
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Single letter change, possibly an 
addition, with or without a deletion or 
addition of a middle initial. 

Same subtle manipulation as above. 

Nearly all are Vietnamese or Middle 
Eastern names; very occasionally 
a Hispanic name. 
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Same as 96, but more subtle, yet 
not innocent. 



Not typically phonetic changes. 
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Single simple change, such as an 
error in transcription or handwriting 
error - probably innocent error. 
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Mostly simple transpositions of names 
with or without the addition or deletion 
of a middle initial. 

Frequently foreign names, probably caused 
by a lack of knowledge in the recording 
of the names - innocent. 

Change, or addition or deletion of a single letter. 

Change, or addition or deletion of a single 
letter. 



No Changes; duplicate record. 



C. Creation of Scoring Method, 

To achieve the above scoring system, applicant employed several unique 
search strategies. The first strategy relied upon the importance of context in giving 
meaning to the content of the information. For example, if the content of the 
information is "9 to 5," depending upon the contextual setting, the information may 
be one's working hours; or it might be the final score in the seventh game of the 
World Series. Context can dictate the meaning of the content. Thus, the context of 
the records derived from attempts to open checking accounts at banks was an 
important factor in how applicant analyzed the data. 

The second strategy relates to the premise that information may be false and 
should be treated that way. Since applicant was looking for attempts to defraud 
banks, he assumed the professional criminal was likely lying to the bank about who 
the criminal was. This is fundamental because if the criminal were to identify himself 
as someone who defrauded banks, the bank would be not deal with him. The 
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importance of this assumption of falsity for the information system was crucial. To 
prove that a criminal lied about his identity, applicant's goal was to find two identities 
purportedly belonging to the same person that were different, suspicious and mutually 
exclusive. 

5 Conventional wisdom dictates that the more information fields analyzed, the 

better the result. However, many of the information fields, such as addresses, drivers 
license numbers, phone numbers, etc., not only legitimately change over time, but are 
frequently obtained from unreliable sources. Dealing with unreliable and potentially 
innocent changes to information creates a burden and could well bias the final output 

10 of the system. Applicant focused entirely upon information that does not legitimately 
change over an individual's lifetime, except for very specific and known reasons, e.g., 
a woman changing her name when she marries. Alterations in the name fields and the 
Social Security number field could be assumed to be either innocent (e.g., the use of a 
nickname, or the adoption of a married name, or a typographical error), or suspicious. 

15 Therefore, applicant needed only to identify and screen out the known types of 
innocent and legitimate identity changes to be left with the suspicious changes. 

Because there is a nearly infinite range of identity changes possible between 
one person manipulating their identity and the real identity of a third person, applicant 
needed to carefully calibrate his system to draw the line between intentional 
20 suspicious alterations and innocent third party identities (i.e., false positives). This 
iterative calibration resulted in the above-stated scoring grids. 

The above scoring or benchmarking process is used to determine to a high 
degree of certainty whether a change in identity data is intended to deceive the 
recipient of the data. Applicant has determined that scores of 76 through 97 represent 
25 changes associated with an intent to deceive. Such determination about this scoring 
range resulted from applicant's analysis and measurement of fraudulent conduct in the 
United States. Using 1993 data from the Justice Department (Uniform Crime Report 
and affiliated documents) and census data, applicant constructed a model of fraud 
activity in the United States for 1993. 

30 Applicant plotted the number of fraud arrests per capita by state as illustrated 

in Fig. 3. And once the states were ranked according to fraud per capita, the curve 
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illustrated in Fig. 4 demonstrates an eight fold variation in per capita fraud rates. 
Accordingly, applicant found a large concentration of fraud arrests in very few states 
and very little change throughout the rest of the population. 

To ensure that the phenomenon depicted in Figs. 3 and 4 was not an artifact of 
the data, applicant then studied the census data, looking at 30 to 40 different factors 
such as number of children per family, education, income, address, zip code, account 
numbers, religious participation, etc., to determine which factors influenced the 
incidence of fraud arrests. However, the greater the number of factors analyzed, the 
greater the "noise" or false positives discovered because of the innocent changes 
associated with such data. Nevertheless, this exercise essentially identified the 
location of the fraud victims on the basis of these factors. States having high 
incidences of fraud had a positive relationship to Christian church membership, low 
education and low income. Such individuals may be the most susceptible to 
fraudulent transactions since they may be more likely to trust the perpetrator. 

In any event, analyzing 30 to 40 factors proved to create too much noise in the 
system and skewed the data. Based on applicant's years of experience of being 
involved in fraud cases, he has observed that perpetrators lie, but lie very little. 
Perpetrators desire to tell as much truth as they possibly can to establish their 
credibility. Credibility is crucial to their success. Today, a substantial amount of 
fraud takes place in banks. To verify identities, banks go to large data managers such 
as Equifax, Trans Union, Experian, etc. Thus, the perpetrator must successfully 
weave his way through such systems. He can only do so by manipulating his identity. 
The perpetrator prefers to reuse the transposed numbers and letters of an altered 
identity in a way that they appear innocent and can be explained away (e.g., 
typographical errors). In order for the criminal to defeat the systems in place at the 
credit reporting agencies and other record providers, the criminal need only make a 
subtle change in identity. Each single identity has tens of thousands of variations that 
do not require a significant name change. Criminals are expert in digital systems 
(most fraud is perpetrated by organized criminal elements), and can easily defeat all 
of the screening systems of the prior art. Applicant targeted this specific behavior as a 
means for identifying suspicious conduct that is likely to lead to a fraud loss if 
unchecked. 
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In order to solve the problem of excess noise and false positives, applicant 
employed an iterative searching process to determine which changes are innocent and 
which ones are fraudulent. A database representing about 56 million records of 
checking account openings in roughly the same period (1993) as the fraud data was 
5 supplied by a subsidiary of Deluxe Corporation. Because the geographic market 
penetration of the Deluxe data did not perfectly match the actual census data, the 
fraud model was normalized using standard techniques to account for the difference. 
A name matching fuzzy logic software package was acquired from Search Software 
American (Name 3). This name matching software allows for the fuzzy association of 
10 both alpha and numeric information with a wide range of nearly infinitely tunable 
association algorithms tied to the various identity data in the system. The data was 
first grouped into sets of matching or related identities. 

It was applicant's hypothesis that a curve of changes in the identity data 
(controlled for geographic location) would substantially match the curve of per capita 

1 5 fraud ranked by geographic location. Beginning with the default settings supplied by 
the search software, a curve of per capita associations (i.e., groupings of similar 
identities that represent the same digital identity) was generated and compared to the 
curve from the standardized (normalized) fraud model curve of Fig. 4 to determine the 
correlation between changes in the identity information in the grouping from the 56 

20 million records and the incidence of fraud per capita. Accordingly, applicant made 
changes in the association algorithms until an optimal match was obtained between 
the frequency curve generated from the Deluxe data, and the standard fraud curve of 
Fig. 4. As illustrated in Fig. 5, this optimal level was achieved at approximately a 
94.5% positive correlation between the two curves. The changes in the algorithms 

25 were iterative, usually relating to only one piece of identity data (e.g., address, zip 

code, and driver's license number). From this iterative process, applicant realized that 
the analysis of only names and Social Security numbers would result in the optimal 
match. Consequently, the scoring tables stated above represent the final iteration of 
the search algorithms and the optimization process used herein. The data in the final 

30 iteration was also analyzed for geographic location (i.e., location of the bank 

supplying the data) to ensure that the variable on the X axis used to overlay the two 
curves in Fig. 5 was the same. Because the Deluxe data used in obtaining the 94.5% 
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correlation did not contain data relating to per capita fraud arrests, the two curves in 
Fig. 5 were not controlled for the variable on the Y axis (i.e., percent of per capita 
arrests). Nevertheless, applicant postulated that the precise algorithm optimally tied 
to identity manipulations, which results in a curve most closely matching the curve of 
5 Fig. 4 would positively correlate to per capita fraud arrests. 

The above scoring charts and system resulted from that precise algorithm. To 
test applicant's results of a 94.5% correlation between the two curves, applicant 
compared the records of 188,602 individuals identified by applicant as having 
manipulated their identities in opening checking accounts with ChexSy stems' 

1 0 comprehensive Reported Names Database and obtained 188,41 5 record matches. In 
addition, applicant obtained the identities used by known perpetrators of bank fraud 
from a bank customer. From this list, 21 identity records that matched the timeframe 
of applicant's test data were blindly distributed within the 56 million records used for 
system development. Applicant's random chances of identifying the test records were 

15 21:56,000,000. Nevertheless, applicant successfully identified all 21 known 

perpetrators and identified no false positives. Applicant has further tested the system 
with successful results. 

After a user's alphanumeric data is scored by search engine 62, the system of 
the present invention continues the inventive enrollment process. If the score is 

20 within the acceptable limits of confidence and the submitted identity data are not 

suspicious, then the record is transmitted via output file 64 and affirmative step 66 to 
approved file 70. The suspicious sets of identity data determined by the above 
process are output via output file 64 and transferred to derogatory file 72 in step 68. 
File 72 comprises alphanumeric subfile 74 and biometric subfile 76, and will typically 

25 contain approximately 10 million such sets of suspicious records and approximately 
32 million identity records. Based on applicant's empirical data, these sets of 
identities have been intentionally manipulated by individuals for the purpose of 
deception. A copy of files 72, 74 and 76 are transmitted to database 60 as a folder to 
maintain the comprehensiveness of database 60 and to ensure the most accurate 

30 scoring when a user enrolls. The non-suspicious sets of identities remain in database 
60 and are copies of each other and innocent by nature. 
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The alphanumeric component of enrollment system 50 is illustrated by the 
following examples: 

Enrolling for the first time is: 

Abe Lincoln 123-45-6789 

Search 62 of database 60 identifies the following existing records: 

Abraham Lincoln 123-45-6789, Score 99 
Abraham Lincoln 123-45-6789, Score 98 
H. Abe Lincoln 123-45-6789, Score 96 

Abe's alphanumeric identity data is within acceptable limits and his data is 
transmitted to approved file 70 via output step 64. 

Enrolling for the first time is: 
William Clinton 987-65-4321 

Search 62 of database 60 identifies the following existing records: 

William J. Clinton 987-65-4321 score 100 

Bill Clinton 987-65-4321 score 100 

Clint Williams 897-65-4321 score 93 

William Clintock 987-65-4322 score 89 
William Clinton's alphanumeric data reveal suspicious records according to 
applicant's scoring system. William Clinton is not approved and his record is 
transmitted to derogatory file 72 with a copy in a derogatory file folder in database 60. 
Thus, if William Clinton attempts to enroll again, the derogatory data located in 
database 60 will be triggered, and enrollment is denied. 

The enrollment process continues with obtaining one or more biometric 
exemplars from the user using biometric input device 48. The system of the present 
invention can utilize any commercially available biometric, including face printing, 
voice printing, finger printing, retinal printing, iris printing and DNA mapping. 
Numerous biometric devices are known in the art, such as those available from Mytec 
Technologies of Toronto, Canada; Intelitrak Technologies of Austin, TX, and 
National Registry, Inc. of Tampa, Florida. Additional information regarding 
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biometrics can be found at the International Biometric Industry Association's website 
at www.ibia.org. 

Most users will opt for the use of voice printing biometrics because no 
additional computer equipment is necessary if the user's computer includes a 
microphone, as is the case with most computers. Alternatively, a signal can be sent 
from system 50 to the user's computer to put the user's modem on hold, to permit the 
user to employ a telephone handset to deliver a voice sample in the enrollment and 
verification processes. 

The biometric exemplar, in digital form as known in the art, is captured and 
transmitted via a communication network, preferably the internet, to the Central 
Biometrics Authority (CBA) 78, a system available from the International Biometrics 
Group (IBG), or other like system, to ensure that the particular biometric employed by 
a user meets the appropriate standard of sensitivity set for the type of device used and 
the type of transaction. 

CBA 78 has the ability to process the information from all commercially 
available biometric technologies and devices in a manner that captures the setting of 
the devices and the degree of certainty that the device is capturing the biometric. This 
includes such things as the number of attempts to certify the biometric, whether the 
certification is contemporaneous or stored, etc. This information is then integrated to 
match the desired or required certainty level for the party requesting verification. For 
instance, an online stock brokerage may desire a very high level of certainty for a 
$100,000 stock trade, but an online bookstore might only require a 51% certainty 
level for a $10 sale. 

Once the CBA 78 approves the submitted biometric, the biometric extract 80 
is transmitted to and stored in biometric suspense buffer 82. If the CBA 78 rejects the 
biometric exemplar from device 48 in step 84, a signal is sent to the user from CBA 
78 to resubmit another biometric exemplar. This process can repeat itself an 
unlimited number of times, although generally after a user's biometric is rejected 
three times, CBA 78 will send the user a message informing her/him to employ a 
different device 48. 
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Each biometric input device 48 is preferably linked to the alphanumeric input 
device 46 such that the biometric exemplar is identified as that of the user by name, 
address, Social Security number/ password, etc. Thus, each biometric record in 
suspense buffer 86 has some alphanumeric data identifier in order for it to be matched 
with the user's alphanumeric identity record which was processed as explained above 
and either approved or rejected in steps 66 and 68, respectively. 

After the biometric record is stored in buffer 86, buffer 86 then queries 
approved file 70 and derogatory file 72 for matching alphanumeric identity 
information. If a match is found in file 70, the approved alphanumeric identity record 
and the approved biometric record are coupled in storage device 88 and transmitted to 
identity escrow server or database 90 ("Virtual Safety Deposit Box"). Accordingly, 
each enrolled user's approved alphanumeric and biometric records are stored in 
identity escrow database 90 ready for use in the verification process. Each user's 
records can be further coupled to ancillary database 92, which may contain any other 
personal information such as financial and medical records. Conversely, if a match is 
found in file 72, the user's biometric is coupled with the user's alphanumeric data 
from derogatory subfile 74 and transmitted and stored in biometric subfile 76. 

B. Verification System. 

Referring to Fig. 6, verification system 100 comprises input devices 46 and 48, 
searchable identity escrow server or database 90 and output device 116. Input devices 
46 and 48, detailed above, are connected to identity escrow database 90 through the 
internet, by telephone, or by any other signal transmission means known in the art. 
Database 90 serves as the central verification clearinghouse for the approval or 
disapproval of a request for identity verification. Database 90 can take any form as 
known in the art and will typically reside on a mainframe computer. Database 90 may 
be connected to ancillary information databases 92. The system of the present 
invention further comprises means for linking escrow database 90 to third party 
providers 92 of information specific to individual customers to be stored in 
connection with the approved identity data signal and biometric data signal. Such 
third party providers can include any database or set of information such as, for 
examples, banks, hospitals, doctors, lawyers, and financial services entities. Output 
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device 1 16 is any known device capable of sending electronic messages to third party 
118, such as a modem or other internet connection means. 

2. System Operation. 

A standard personal computer capable of internet access or a standard 
5 telephone or other known telecommunication device are compatible with the system 
of the present invention. Computer system 10, for example, can be employed. 
Computer system 10 further comprises biometric input device 48, which is a 
combination of hardware and software and enables the user to provide the biometric 
exemplar for enrollment into the system, but also the biometric samples for each use 

10 of verification system 100. Biometric input device 48 is selected from a wide variety 
of available technology, including fingerprint recordation devices, voice print 
recorders, retinal image recorders, hand geometry recorders, and the like. Device 48 
can be combined with a camera so that a photograph or digital image becomes a part 
of the biometric data record. The biometric data record is preferably encrypted to 

1 5 enhance security. Depending upon their construction and sensitivity, devices 48 vary 
in ability to resist fraud. Consequently, e-retailers may dictate more stringent device 
parameters for high-valve, high-security transactions (e.g., stock trades), or less 
stringent parameters for low-value, low-security transaction (e.g., sale of $20.00 
item). Because almost all biometric devices 48 have different sensitivities and error 

20 rates they thus have different software attendant thereto. As explained above, the 
system of the present invention communicates with the CBA 78 during enrollment 
and verification (as part of a predetermined third set of criteria) to ensure accuracy of 
the biometric sample. 

To enroll in system 50, users provide alphanumeric identity data via the 
25 internet, by telephone, by mail, etc. System 50 (as well as system 100) assigns and 
encrypts this data, prepares forms for mailing and signature and communicates with 
third party networks. As described above in connection with enrollment system 50, 
such identity data is searched against existing data in database 60 and scored to 
determine the existence of suspicious identity records. All suspicious records are 
30 copied to derogatory file 72, and the users providing such information are declined 

from enrollment system 50 or are requested to provide additional information. Notice 
to such users is by e-mail or other known means. Consequently, enrollment includes 
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a confirmation step, to a high degree of certainty, that the particular individual is who 
he/she says he/she is. 

Enrollment further comprises acquiring from the user data representing one or 
more of the individual's biometric characteristics. After successful processing by 
5 CBA 78, such data is stored in biometric suspense buffer 86. Multiple biometric data 
samples are preferred so as to account for variations among the samples and to 
increase the reliability of authentication. As detailed above, in order for the system to 
be ready to verify a user's identity, the biometric data record is then stored in database 
90 in association with the user's approved alphanumeric identity record of file 70. 

10 Preferably, but not required, system 50 assigns each user an anonymous or 

shared personal identification number or name ("PIN"). This PIN is coupled to the 
user's alphanumeric and biometric records and is shared with many other users. The 
PIN may be coupled to such records by the party seeking verification, i.e., the 
merchant, financial institution or government. The purpose of using a shared PIN is 

15 that it speeds the verification process. For example, system 50 has assigned (or the 
user has chosen) "Sammy Sosa" as the user's PIN. If there are 9,999 other users 
utilizing "Sammy Sosa" as their PIN, system 100 only has to search 10,000 files 
during verification. The PIN may be in alphanumeric or digital voice form. Although 
the system of the present invention will function using an individualized, non-shared 

20 PIN, there are disadvantages besides slowing verification system 1 00 with which to 
contend. For example, the user may be in a location where her/his PIN can be seen 
overheard by third parties. Conversely, with a shared PIN, there is no need to keep it 
confidential. 

Users can be individuals or business entities and, thus, enrollment can take 
25 many forms. For example, authorization can be restricted to one or more individuals 
within a particular organization. 

During verification, verification system 100 receives encrypted alphanumeric 
and/or biometric identity data via devices 46 and/or 48. Such identity data can be 
transmitted to system 100 from virtually anywhere using known computer and 
30 telecommunications technology. Applications include e-commerce transactions 
where a website requests verification of the identity of one of its users prior to 
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completing a transaction; home security systems, military security systems and 
countless other applications. Such third parties and e-commerce providers are 
preferably registered with system 100. Upon transmission, these data are decrypted 
by database 90 using a channel supporting secure socket layer (SSL) or some other 
5 security protocol. Database 90 then determines whether it has enrolled the claimed 
identity of the user seeking authentication. CBA 78 and database 90 preferably filter 
out unacceptable messages. Such messages can include those claiming an identity 
that does not agree with any records available in database 90, such as messages 
containing PINs or identity data of persons not enrolled in system 100, or messages 
10 from websites not registered with system 100. 

In configurations using PINs, preferably shared PINs, database 90 preferably 
determines whether the transmitted PIN matches any of the PINs in database 90. 
Within the identities stored under the shared PIN, each biometric technology has 
varying capabilities of performing limited 1 to N searches. 

15 The identity escrow server/database 90 compares the alphanumeric and 

biometric data (or the biometric data alone) of each transmitted message with the 
records stored in the database 90. Recall that the biometric transmission is first 
processed by CBA 78, although this step is not essential to successful operation. To 
verify the individual's claimed identity, database 90 typically compares the 

20 transmitted biometric data to the records of the enrolled individual. 

A user's live data may fail to match exactly the user's biometric records. This 
occurs because acquisition of biometric data is subject to variations, both in the 
enrollment mode and in verification mode. Accordingly, CBA 78 and database 90 
preferably employ comparison algorithms that do not require exact matches between 

25 the live data and records, but provide a high level of accuracy. The comparison 

algorithms generally are implemented to determine the statistical closeness of the live 
data to the records. In that implementation, database 90 produces an affirmative 
response in the event of a sufficient match, i.e., if the closeness determination yields a 
result that falls into a selected range of confidence determined to be acceptable. In 

30 contrast, database 90 produces a negative response if the result falls into a selected 
range of confidence determined to be unacceptable. Database 90 preferably also 
supports an indeterminate response (e.g., try again/provide more data) if the above 
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ranges are not complementary and the result falls between such ranges. The 
indeterminate response can also result for other reasons, including that database 90 is 
down, busy or otherwise. The ranges of sensitivity used in the comparison algorithms 
may vary among biometric characteristics. For example, a range having high 
sensitivity may be selected for highly secure transactions and vice versa. In any case, 
optimum sensitivity selections are generally made to strike a balance between false 
positives and false negatives. 

Following each verification, database 90 produces a response in steps 110, 112 
and 114. Database 90 transmits the response to output device 116, the response being 
that the user's identity is or is not verified from processing steps 110 and 1 12, or that 
system 100 contains no data for such user from processing step 114. Output device 
116, and system 100 for that matter, only transmits to third party 118 whether or not 
the user is verified or that no records exist. No identity data of any kind is ever 
transmitted to third party 118. Thus, verification system 100 is highly secure against 
hackers. 

If output device 116 transmits a "No" message resulting from step 112, third 
party 118 and system 100 may employ a predetermined set of criteria to request the 
user to re-attempt verification. The number of re-attempts allowed may depend on the 
level of security for the particular transaction. 

If, in step 1 14, no record is found in database 90, this message is transmitted 
by output device 1 16 to third party 118. Third party 118 may then electronically or 
telephonically direct the attempted user to enrollment system 50 through a different 
website or server, or enrollment system 50 may be integrated with third party 1 1 8's 
system so as to seamlessly enroll the user into system 50. Alternatively, third party 
118 may provide the attempted user with a website address or link, telephone number 
or mailing address for direct contact with system 50. 

Plural verification systems 100 and enrollment systems 50 can be employed 
such that verification can be specific for a particular third party 118. For example, a 
bank may operate a captive database 90 only for its customers who have registered 
with system 50 when opening their respective bank accounts. Conversely, in an open 
structure, database 90 can process verification requests from any source. 
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The identity verification system of the present invention can be employed for 
any type of transaction or event where verification of the user is necessary or helpful 
to prevent identity fraud. Such transactions may include any e-commerce transaction 
such as the purchase of goods using a credit card where, as part of the computerized 
5 credit card authorization process, the user is queried as to whether he/she has 

previously enrolled in system 50 and, if so, is asked to supply the necessary biometric 
to be processed through verification system 100. Once system 100 responds with a 
"Yes" to the credit card vendor, the vendor can authorize the charge and the retailer 
may complete the transaction, the vendor having received verification with a high 
10 level of confidence that the user of the credit card is the actual owner of the card. 

The present invention further relates to a system a method for providing users 
of systems 50 and 100 with a warranty against the theft of their identity data. 
Warranty system 200 is linked to systems 50 and 100 by hyperlink or other 
telecommunication means. System 200 is similar to system 10 and comprises like 

15 components: Processor 202, mass storage device 204, memory 206, peripheral device 
208, input 210, portable storage medium drives 212, graphics subsystem 214, audio 
subsystems 216, display 218, output device 220 connected by bus 222. System 200 
may be further connected to a network 224, such as the internet 226 and third parties 
228. As with system 10, events 230 trigger software 232 to activate and run system 

20 200. Upon the request of a customer using systems 50 and 100, warranty coverage 
can be purchased. Such coverage protects the customer from the theft or misuse of 
his/her identity data used in systems 50 and 100. 

3. User Interface. 

As illustrated in Fig. 7, the user views the welcome screen on display 26 in an 
25 internet application of the present invention. Using device 48, the user inputs the 

requested alphanumeric information and submits a biometric exemplar. The user then 
clicks "submit" to continue. The screen shown in Fig. 8 is then displayed and, if the 
user has been approved, he/she is queried for the warranty coverage. If the user clicks 
"yes," he/she is taken to the next screen (Fig. 9). The user then clicks on "continue" 
30 to activate system 200 whereupon additional screens are engaged to enroll and use 
system 200. 
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Figs. 10-13 are additional screen displays of the verification system of the 
present invention. 

While the present invention has been described in connection with the 
preferred embodiments, it will be understood that modifications thereof within the 
above principles will be evident to those skilled in the art and, thus, the invention is 
not limited to the preferred embodiments but is intended to encompass such 
modifications and all equivalents thereto. 



